Smartphone passwords and privacy

An employee is provided a smartphone and cellular service by their employer. The employee leaves the company and returns the device. Then the employee is brought under investigation for by the SEC for insider trading activities. The SEC requests the password for the phone in an effort to build evidence for their case.

Is the employee required to surrender their passcode so that access can be granted to the smartphone?

The result may not surprise you but the reason will.

A US District Court ruled that that the employee was not required to surrender their password in SEC V. Huang as this could violate their Fifth Amendment right to privacy.

“Since the passcodes to Defendants’ work-issued smartphones are not corporate records, the act of producing their personal passcodes is testimonial in nature and Defendants properly invoke their fifth Amendment privilege. Additionally, the foregone conclusion doctrine does not apply as the SEC cannot show with “reasonable particularity” the existence or location of the documents it seeks. Accordingly, the SEC’s motion to compel the passcodes is denied. “

The case revealed that Capital One, the employer, did have policies stating that the company owned the device issued as well as corporate documents stored on the device. As you would expect, Capital One also required employees to use a passcode and by best practice the code should be private and not written down anywhere. Hence the court ruling that the passcode itself was not a corporate record.

The court also stated that,

“Each party argues based on established legal precedent m non-smartphone contexts involving the interplay between corporate records and encrypted information on computers. As we find the personal thought process defining a smartphone passcode not shared with an employer is testimonial, we deny the SEC’s motion to compel. “

I bet you’ve never considered making your password part of your “personal thought process”!

How far could this reach?

Could this apply to computer and laptop passwords? Would an employee be able withhold their password from an employer if they were not under investigation for criminal activity?

If the rationale of this decision carried forward then I would think it could be far reaching. Employers typically don’t assert ownership of the password or require they be stored where they are accessible. Hence they would be considered something personal.

If a Company wants maintain complete control and ownership of equipment issued to employees they should consider the following policies:

Create a policy that issues passwords to be used by employees on company owned equipment.

Designate a required storage area for passcodes.

Equip phones with software that allows a remote wipe of the device if the employee leaves.